1. INTRODUCTION

LCF is based on a logic of Dana Scott, proposed by him at Oxford in the fall of 1969, for reasoning about computable functions. This document describes a proof-checker for the typed version of that logic. In Section 2 we present the logic, essentially as Scott himself presents it, but using the typed λ-calculus instead of the typed combinators S and K, since the former is more familiar to computer scientists and is in any case easier to work with. Section 3 then describes the machine implementation of the logic, which we call typed LCF, or just LCF.

Particular domains of computation can be axiomatized in the logic, and Section 3 describes how the user supplies such axioms; but many interesting results can be proved in the pure logic, without any non-logical axioms.

It is hoped that a potential user of the system can, with the help of the example of Section 3.1 and with Section 4, get onto the machine without reading the whole of this document.

Further discussion of LCF and examples of its applications can be found in the following papers:


Milner, R. "Implementation and applications of Scott's logic for computable functions", Proc. ACM Conference on Proving Assertions about Programs, New Mexico State University, Las Cruces, New Mexico, Jan 6-7, 1972.

Weyhrauch, R. and Milner, R. "Program semantics and correctness in a mechanized logic", Proc. USA-Japan Computer Conference, Tokyo, Oct 1972 (to appear).

Milner, R. and Weyhrauch, R. "Proving compiler correctness in a mechanized logic", Machine Intelligence 7, ed. D. Michie, Edinburgh University Press, 1972 (to appear).

Newey, M. "Axioms and theorems for integers, lists and finite sets in LCF", forthcoming AI Memo, Computer Science Dept., Stanford University, 1972.


We give no further references here; they may be found in the above papers.


2. THE LOGIC LCF

Types

At bottom "tr" and "ind" are types. Further, if β1 and β2 are types then (β1→β2) is a type. We adopt the convention that → associates to the right and frequently omit parentheses; thus we write β1→β2→β3 for (β1→(β2→β3)). With each term of the logic there is an unambiguously associated type. For a term t we write

    t : β

to mean that the type associated with t is β. Throughout we use β, β1, β2, ... as metavariables for types.

Terms (metavariables s, t, s1, t1, ...)

The following are terms:

Identifiers (metavariables x, y) - sequences of upper or lower case letters and digits. We assume that the type of each identifier is uniquely determined in some manner.

Applications - s(t) : β2, where s:β1→β2 and t:β1.

Conditionals - (s→t1,t2) : β, where s:tr and t1,t2:β.

λ-expressions - [λx.s] : β1→β2, where x:β1 and s:β2.

α-expressions - [αx.s] : β, where x,s:β.

This strict syntax is relaxed in the machine implementation (see Section 3) to allow a saving of parentheses and brackets.

The intended interpretation of the α-expression [αf.s] is the minimal fixed-point of the function or functional denoted by [λf.s]. For example:

    [αf.[λx.(p(x)→f(a(x)),b(x))]]

denotes the function defined recursively as follows:

    f(x) <= if p(x) then f(a(x)) else b(x).

Constants

The identifiers TT, FF denote the truthvalues true and false. UU denotes the totally undefined object of any type; in particular, the undefined truthvalue.


Atomic well-formed formulae (awffs)

The following is an awff:

    s ⊂ t

where s and t are of the same type. The intended interpretation of s⊂t is, roughly, that t is at least as well defined as, and consistent with, s.

Well-formed formulae (wffs) (metavariables P, Q, P1, Q1, ...)

wffs are sets of zero or more awffs, written as lists with separating commas. They are interpreted as conjunctions. We use

    s = t

to abbreviate s⊂t, t⊂s.

Sentences

Sentences are implications between wffs, written

    P |- Q

or, if P is empty, just

    |- Q

Proofs

A proof is a sequence of sentences, each being derived from zero or more preceding sentences by a rule of inference.
Inference rules

Let us write P(s/x) or t(s/x) for the result of substituting s for all free occurrences of x in P or t, after first changing bound variables in P or t so that no variable free in s becomes bound by the substitution. We have not stated conditions on the types of identifiers and terms with each rule; any consistent assignment of types is admissible.

***** PURE RULES *****

INCL         P |- Q                      (every awff of Q occurs in P)

CONJ         P |- Q1    P |- Q2
             ------------------
                 P |- Q1,Q2

CUT          P1 |- P2    P2 |- P3
             --------------------
                  P1 |- P3

***** ⊂ RULES *****

APPL         s1 ⊂ s2 |- t(s1) ⊂ t(s2)

REFL         P |- s ⊂ s

TRANS        P |- s1 ⊂ s2    P |- s2 ⊂ s3
             ----------------------------
                   P |- s1 ⊂ s3

***** UU RULES *****

MIN1         |- UU ⊂ s

MIN2         |- UU(s) ⊂ UU

***** CONDITIONAL RULES *****

CONDT        |- TT → s,t = s

CONDU        |- UU → s,t = UU

CONDF        |- FF → s,t = t

***** λ RULES *****

ABSTR               P |- s ⊂ t
             -------------------------    (x not free in P)
             P |- [λx.s] ⊂ [λx.t]

CONV         |- [λx.s](t) = s(t/x)

ETACONV      |- [λx.y(x)] = y              (x and y distinct)
3. THE MACHINE IMPLEMENTATION OF LCF

We now describe the machine version of the logic of Section 2, and how to use it interactively on the machine.

The user has available four groups of commands:

• Rules of inference - to generate new sentences or steps from zero or more previous steps. (Section 3.2)

• Goal Oriented Commands - to specify and attack goals and subgoals. (Section 3.3)

• Miscellaneous - mainly to do with displaying or filing parts or all of the proof so far, and the goals. (Section 3.4)

• Commands for axioms and theorems - to enable the user to create axiom systems, to prove and file theorems in these systems, and later to recall and instantiate those theorems. (Section 3.7)

Before describing the commands in detail, and the syntax of wffs, terms, etc., it may be helpful to see an example.

3.1 An Example

Let us introduce the machine version of LCF by a simple example which, although short, exhibits many of the features. It is a proof of a version of recursion induction, which states that if F is defined recursively and G (another function) satisfies F's recursive definition then F⊂G. In other words, we prove that F is the minimal fixed point of its defining equation.

After initialization (see Section 4), the system types 5 asterisks as a signal to the user to start a proof. In fact, 5 asterisks are always the signal for the user to continue his proof. Thus, in what follows the user's contribution may be distinguished by being preceded by *****; we explain each user and machine contribution to the right of a vertical line.

*****ASSUME F=[αF.FUN F], G = FUN G;

|The user assumes a wff (a sequence of atomic wffs
|separated by commas, where each atomic wff has = or
|⊂ infixed between two terms). Every user
|command ends with a semicolon. Detailed syntax is
|given later - but note in particular that application
|may be represented (sometimes) by juxtaposition as in
|"FUN G" to save parentheses. Note also that F occurs both
|free and bound (in the first awff) without confusion.
1 F=[αF.FUN(F)] (1)

2 G=FUN(G) (2)

|The machine separates the assumption into two sentences,
|giving each a stepnumber. Every sentence which the
|machine generates will have a stepnumber, and will consist
|of a wff followed by a list of stepnumbers of assumptions
|on which the wff depends. A sentence
|
|    n  P  S
|
|where P is a wff and S a list of stepnumbers is the
|analogue in LCF of the sentence
|
|    Q |- P
|
|of pure LCF, where Q is the conjunction of assumptions
|designated by S. Each of steps 1 and 2 above thus
|represents an instance of P |- P, which is a special
|case of the inclusion rule of Section 2.

*****GOAL F⊂G;

|The user states his goal, but does not attack it yet.
|He might list several goals before attacking any of them;
|in each case the machine will simply give a goal number.

NEWGOAL #1 F⊂G

|Goal numbers are distinguished from stepnumbers by #.

*****TRY 1 INDUCT 1;

|The user wants to attack GOAL 1 using the tactic of
|induction on step 1 - which is (as it must be) a
|recursive definition - i.e. F = [αF.FUN(F)].

NEWGOAL #1#1 UU⊂G

NEWGOAL #1#2 FUN(F1)⊂G ASSUME F1⊂G

|The machine says that the induction base and step
|must be established. For the step it picks an arbitrary
|identifier not used previously (actually for mnemonic reasons
|it picks something which only differs from the instantiated
|bound variable in its numerical suffix).
|
|We now have two goals generated by the machine, at
|a lower level. The user need not - but probably will -
|choose to prove #1 by proving #1#1 and #1#2.

*****TRY 1;
|User chooses to attack #1#1 first. He need (and must)
|only refer to the goal by the last integer in its goal
|number. This time he doesn't state a tactic - he knows
|how to prove it himself - so the machine merely steps down
|a level in the goal tree and waits. Actually, he could
|use the SIMPL tactic (see Section 3.3), since this
|tactic notices instances of MIN1 and would therefore
|save the user his next two commands.

*****MIN1 G;

|The user notes that the subgoal UU⊂G can be proved
|by the first minimality rule (see Section 2), so calls
|it with the appropriate term - G - as parameter.

3 UU⊂G

|The machine obediently generates the proper instance of
|minimality. Notice that this sentence depends on no
|assumptions.

*****QED;

|The user can say QED to tell the machine that he has
|proved exactly the goal under attack.

GOAL #1#1 PROVED. BACK UP TO GOAL #1
REMAINING SUBGOALS:

2 FUN(F1)⊂G ASSUME F1⊂G

|The machine agrees. Now in general it will back up
|the goal tree until it finds a goal some of whose subgoals
|have not been proved. It will remain at that level and list
|these subgoals for the user to try.

*****TRY 2;

|Again, user gives no tactic.

4 F1⊂G (4)

|The machine makes the assumption of the goal for him (note
|that goal #1#1 had no assumption), and waits.

*****APPL FUN,4;

|"Apply FUN to step 4" - an instance of application (see
|Section 2).

5 FUN(F1)⊂FUN(G) (4)
*****SYM 2;

|Turn step 2 around ready for an application of transitivity.

6 FUN(G)=G (2)

*****TRANS 5,6;

|Note that the parameters of inference rules are always
|stepnumbers or terms, separated by commas.

7 FUN(F1)⊂G (2 4)

*****QED;

GOAL #1#2 PROVED. BACK UP TO GOAL #1. NO MORE SUBGOALS
8 F⊂G (2 1)

|The machine hasn't finished yet, but note that it
|makes an explicit step to represent the proof of #1 (so
|that the whole sequence of steps, with all the goal
|structure stripped away, shall be a formal proof). Note
|also the assumptions of step 8.

GOAL #1 PROVED. BACK UP TO TOP LEVEL. NO MORE SUBGOALS.

|(There might have been more goals listed at top level,
|since the user can list many before attacking any).

*****SHOW PROOF RECIND;

|The user decides to keep his proof on a file called RECIND.
|The version kept is shown below. Notice that not everything
|which the user typed reappears; in particular, the
|statement of a goal is not reproduced, only its trial.
|
|If the user wanted instead to display his proof (at any
|point, not just at the end) he would just type "SHOW PROOF;"

PROOF

1 F = [αF.FUN(F)] (1) ---- ASSUME.

2 G = FUN(G) (2) ---- ASSUME.

TRY #1 F ⊂ G INDUCT 1.

| TRY #1#1 UU ⊂ G
| |3 UU ⊂ G ---- MIN1 G.
| TRY #1#2 FUN(F1) ⊂ G ASSUME F1 ⊂ G.

| |4 F1 ⊂ G (4) ---- ASSUME.

| |5 FUN(F1) ⊂ FUN(G) (4) ---- APPL 4 FUN.

| |6 FUN(G) = G (2) ---- SYM 2.

| |7 FUN(F1) ⊂ G (4 2) ---- TRANS 5 6.

8 F ⊂ G (2 1) ---- INDUCT 3 7.


3.2 Rules of Inference

Let us assume for the moment the syntax classes <wff>, <awff> (atomic wff), <term>. Details of these are in Section 3.6, but for now look only at the conventions given for syntax definitions at the start of that Section.

We need for the present

<stepname> ::= <integer> | . | .. | ... | .<identifier> ?( (+|-) <integer> )

<termname> ::= ?( :G | :<stepname> ) ?( :<integer> ) (:L|:R)

<range>    ::= <stepname> | ?<stepname> : ?<stepname>

"." in a <stepname> means "the last step", ".." means the last step but one, etc., and for example ".DD-1" means the step preceding that labelled DD. See Section 3.4, the LABEL command, for how to label steps.

A <termname> may appear anywhere that a term can appear - for example as a subterm of a term - and frequently saves typing long formulae. We explain termnames by a few examples (suppose the last step was numbered 15).

:15:1:R )
:.:1:R  )
:15:R   ) all designate the term which occurs as
:.:R    ) right hand side in the first <awff> of Step 15.
:R      )

:.DD:2:L  designates the lhs of the second <awff>
          of the step labelled DD.

:G:2:R    designates the rhs of the second <awff> of
          the current goal - THISGOAL (See Section 3.3)

The <range>s 12, 23:33, :43, 53: denote respectively the single step 12, the steps 23 to 33 inclusively, the steps up to and including 43, and the steps from 53 onwards.
We now list the rules, with some examples. Note that in the machine implementation there is no type-checking whatsoever. We rely on the user to use types consistently; a term which violates the type structure (such as the one in the CONV example below) is accepted and converted without complaint, so the soundness of what is proved rests on the user's discipline rather than on any check by the machine.
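The remark above is the point at which the checker can be made unsound by its user. As an added illustration (example code written for this edition, not part of the LCF implementation), here is a type checker for the terms of Section 2. Terms are Python tuples; binders carry the type of their bound variable, UU carries the type it is used at, and the types of free identifiers come from an environment that the caller supplies (the logic leaves open how identifier types are fixed). The environment and the sample terms are constructed here: the first is step 1 of Section 3.1, the second the α-expression of Section 2, and the third the ill-typed term of step 14 in the CONV example, which the checker rejects whatever type is declared for X.

```python
# Added example: a type checker for the terms of Section 2.  Not part of the
# original LCF implementation, which performs no type checking at all.
#
# Term representation (constructed for this example):
#   ("id", name)                 identifier; TT and FF are of type tr
#   ("uu", beta)                 UU at type beta (UU has every type)
#   ("app", s, t)                application s(t)
#   ("cond", s, t1, t2)          conditional (s -> t1, t2)
#   ("lam", x, beta, body)       [λx.body] with x:beta
#   ("alpha", x, beta, body)     [αx.body] with x:beta
# Types are the strings "tr", "ind" or ("->", beta1, beta2).
from typing import Dict, Optional

TR, IND = "tr", "ind"


def arrow(*betas):
    """Build beta1 -> beta2 -> ... -> betan, associating to the right (Section 2)."""
    *init, result = betas
    for b in reversed(init):
        result = ("->", b, result)
    return result


class LcfTypeError(Exception):
    """Raised where the typing rules of Section 2 give the term no type."""


def type_of(term, env: Dict[str, object], bound: Optional[Dict[str, object]] = None):
    """Return the unique type of `term`; `env` gives the types of free identifiers."""
    bound = bound or {}
    kind = term[0]
    if kind == "id":
        name = term[1]
        if name in ("TT", "FF"):
            return TR
        if name in bound:
            return bound[name]
        if name in env:
            return env[name]
        raise LcfTypeError(f"identifier {name} has no declared type")
    if kind == "uu":
        return term[1]
    if kind == "app":                       # s(t):beta2 where s:beta1->beta2, t:beta1
        fun, arg = type_of(term[1], env, bound), type_of(term[2], env, bound)
        if not (isinstance(fun, tuple) and fun[0] == "->"):
            raise LcfTypeError(f"applying a term of non-function type {fun}")
        if fun[1] != arg:
            raise LcfTypeError(f"argument has type {arg}, function expects {fun[1]}")
        return fun[2]
    if kind == "cond":                      # (s->t1,t2):beta where s:tr and t1,t2:beta
        if type_of(term[1], env, bound) != TR:
            raise LcfTypeError("test of a conditional is not of type tr")
        b1, b2 = type_of(term[2], env, bound), type_of(term[3], env, bound)
        if b1 != b2:
            raise LcfTypeError(f"branches have different types {b1} and {b2}")
        return b1
    if kind in ("lam", "alpha"):
        _, x, beta, body = term
        body_type = type_of(body, env, {**bound, x: beta})
        if kind == "lam":                   # [λx.s]:beta1->beta2
            return ("->", beta, body_type)
        if body_type != beta:               # [αx.s]:beta needs x,s:beta
            raise LcfTypeError(f"fixed point at {beta} of a body of type {body_type}")
        return beta
    raise LcfTypeError(f"unknown term form {kind!r}")


def typable(term, env) -> bool:
    try:
        type_of(term, env)
        return True
    except LcfTypeError:
        return False


def check_awff(lhs, rhs, env):
    """An awff s ⊂ t (or s = t) needs both sides of the same type; return that type."""
    bl, br = type_of(lhs, env), type_of(rhs, env)
    if bl != br:
        raise LcfTypeError(f"sides of the awff have types {bl} and {br}")
    return bl


# Constructed environment: F, G : ind->ind; FUN : (ind->ind)->(ind->ind); p : ind->tr.
ENV = {"F": arrow(IND, IND), "G": arrow(IND, IND),
       "FUN": arrow(arrow(IND, IND), arrow(IND, IND)),
       "p": arrow(IND, TR), "a": arrow(IND, IND), "b": arrow(IND, IND)}

# Step 1 of Section 3.1:  F = [αF.FUN(F)]
STEP1_RHS = ("alpha", "F", arrow(IND, IND), ("app", ("id", "FUN"), ("id", "F")))

# The α-expression of Section 2:  [αf.[λx.(p(x)→f(a(x)),b(x))]]
SECTION2_FIXPOINT = ("alpha", "f", arrow(IND, IND),
                     ("lam", "x", IND,
                      ("cond", ("app", ("id", "p"), ("id", "x")),
                       ("app", ("id", "f"), ("app", ("id", "a"), ("id", "x"))),
                       ("app", ("id", "b"), ("id", "x")))))


def self_application(beta):
    """Step 14 of the CONV example, [λX.X(X)]([λX.X(Y)]), with X declared at type beta.
    X(X) would need beta = beta1->beta2 with beta1 = beta, which no type satisfies."""
    return ("app",
            ("lam", "X", beta, ("app", ("id", "X"), ("id", "X"))),
            ("lam", "X", beta, ("app", ("id", "X"), ("id", "Y"))))
```

Because the checker of the original accepts any term, a user (or a theorem file loaded from elsewhere) can smuggle in an untypable term and derive a sentence of no meaning; running a check of this shape on every term entered closes that route at the point of entry.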


ASSUME <wff>;

Each <awff> Ai in the <wff> is given a new stepnumber ni, and the steps

    n1  A1  (n1)
    n2  A2  (n2)
    ...

are generated. Each one is a tautology, since a step P (n) means Q |- P, where Q is the <awff> at step number n. Thus the purpose of ASSUME is only to introduce references for <awff>s.

See Section 3.1 for examples of ASSUME.

SASSUME <wff>;

Like ASSUME, but every <awff> of the <wff> is henceforward treated as a simplification rule (see Section 3.5).

INCL <stepname>, <integer>;

Picks out an <awff>. Example:

|15 Z=F(X,Y), A=B, [λX.X](Y)⊂W (13 7)
|*****INCL 15,2;
|16 A=B (13 7)

CONJ ...,<range>,...;

Forms the conjunction of all steps in the <range>s. Example:

|15 R⊂Q, R=S (12)
|17 F=G (12 4)
|*****CONJ 15,17;
|18 R⊂Q, R=S, F=G (12 4)

CUT <stepname>, <stepname>;

If the steps referred to are P (m1,m2,..) and Q (n1,n2,..) respectively, where the m's and n's are stepnumbers, and if every <awff> referenced by the n's occurs as an <awff> in P, then the step Q (m1,m2,..) is generated. Example:
|7 F=G (7)
|12 P⊂Q (7)
|15 F=G, G=H (14 2)
|*****CUT 15,12;
|16 P⊂Q (14 2)

HALF <stepname>;

Replaces "=" by "⊂" in the first <awff>, and throws the rest away. Example:

|6 X=G(X), Y=H(Y) (1 3)
|*****HALF 6;
|7 X⊂G(X) (1 3)

SYM <stepname>;

Interchanges the terms in the first <awff> (provided "=" occurs) and throws the rest away. Example (continuing the previous):

|*****SYM 6;
|8 G(X)=X (1 3)

TRANS <stepname>, <stepname>;

Looks at the first <awff> in each <wff>. If these are s1(=|⊂)s2, s2(=|⊂)s3 respectively, then s1⊂s3 or s1=s3 is generated, the assumptions being "unioned". Example:

|12 X=Y(Z), P=Q (11 4)
|13 Y(Z)⊂Y(X) (4 9 8)
|*****TRANS 12,13;
|14 X⊂Y(X) (11 4 9 8)

APPL (<stepname>,...,<term>,... | <term>,<stepname>);

In the first case, applies both sides of the first <awff> of <stepname> to the <term>s in sequence. In the second case, applies the <term> to both sides of the first <awff> of <stepname>. Examples:

|10 X=Y(Z), P⊂Q (9 4)
|*****APPL F,10;
|11 F(X)=F(Y(Z)) (9 4)
|...
|22 F=[λX.X], P⊂Q (11 4)
|*****APPL 22,:.:2:R;
|23 F(Q)=[λX.X](Q) (11 4)

ABSTR <stepname>,...,<identifier>,...;

Does λ-abstraction on the first <awff> of <stepname> with respect to the <identifier>s in sequence. The identifiers must not occur free in any of the assumptions of the step. Example (continuing the previous):

|*****ABSTR 22,F;
|24 [λF.F]=[λF.[λX.X]] (11 4)

CASES     )  These are not present as inference rules, since it is
          )  less tedious to use their goal oriented versions (see
INDUCTION )  Section 3.3).

CONV (<stepname>|<term>);

Does all λ-conversions in the <term> or <stepname>. Example:

|14 B=[λX.X(X)]([λX.X(Y)])
|*****CONV 14;
|15 B=Y(Y)

Remark: the term in 14 violates the type structure, but the system does not check this.

ETACONV <term>;

Eta-converts the <term>, provided it has the form [λx.s(x)], with x not free in the term s. Example (remember that F(X,Y) abbreviates (F(X))(Y)):

|*****ETACONV [λY. F(X,Y)];
|49 [λY. F(X,Y)]=F(X)

EQUIV <stepname>,<stepname>;

Looks at the first <awff> in each <wff>. If these are s1⊂s2, s2⊂s1 respectively, then s1=s2 is generated. Example:

|16 X⊂Y, P⊂Q (12)
|17 Y⊂X, H⊂G (1 2)
|*****EQUIV 16,17;
|18 X=Y (12 1 2)
REFL1 <term>;

Gives t⊂t, where t is designated by <term>. Example:

|*****REFL1 X(XX);
|19 X(XX)⊂X(XX)

REFL2 <term>;

Like REFL1, but gives t=t.

MIN1 <term>;

Gives UU⊂t. Example: see Section 3.1.

MIN2 <term>;

Gives UU(t)=UU. Example (continuing the previous):

|*****MIN2 :L;
|20 UU(X(XX))=UU

CONDT <term>;

Checks that the <term> t has form TT→s1,s2 and if so generates t=s1. Example:

|21 F(X) = TT→X,F(G(Y,X)) (10)
|*****CONDT :R;
|22 TT→X,F(G(Y,X)) = X

CONDF <term>;

Checks that the <term> t has form FF→s1,s2 and if so generates t=s2.

CONDU <term>;

Checks that the <term> t has form UU→s1,s2 and if so generates t=UU.

FIXP <stepname>;

Checks that the first <awff> is a recursive definition, e.g. s=[αG.t], and generates s=t(s/G). Example:

|23 F = [αG.H([λF.G(F)])]
|*****FIXP 23;
|24 F = H([λF1.F(F1)])
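FIXP and CONV both rely on the substitution t(s/y) of Section 2, and the FIXP example above shows the renaming it requires: the bound F in [λF.G(F)] becomes F1 so that the free F being substituted for G is not captured. As an added example (written for this edition, not code from the LCF implementation), here is that substitution over untyped tuple terms, with CONV as repeated β-conversion and FIXP as a single unfolding. The sample terms are constructed from step 14 of the CONV example and step 23 above; the term representation and the helper names (free_vars, fresh, subst, conv, fixp, show) are this example's own.

```python
# Added example: capture-avoiding substitution t(s/x), the CONV rule and the FIXP
# unfolding over LCF terms.  Written for this edition; not the LCF implementation.
#
# Untyped term representation (constructed for this example):
#   ("id", name)  ("app", s, t)  ("cond", s, t1, t2)  ("lam", x, body)  ("alpha", x, body)
import itertools

BINDERS = ("lam", "alpha")


def free_vars(t):
    kind = t[0]
    if kind == "id":
        return {t[1]}
    if kind in BINDERS:
        return free_vars(t[2]) - {t[1]}
    return set().union(*(free_vars(sub) for sub in t[1:]))


def fresh(base, avoid):
    """A variable differing from `base` only in its numerical suffix, as the machine does."""
    stem = base.rstrip("0123456789") or base
    return next(f"{stem}{i}" for i in itertools.count(1) if f"{stem}{i}" not in avoid)


def subst(t, s, x):
    """t(s/x): replace the free occurrences of x in t by s, first renaming any binder
    that would capture a variable free in s (Section 2, Inference rules)."""
    kind = t[0]
    if kind == "id":
        return s if t[1] == x else t
    if kind not in BINDERS:
        return (kind,) + tuple(subst(sub, s, x) for sub in t[1:])
    y, body = t[1], t[2]
    if y == x:                                   # x is bound here; nothing to replace
        return t
    if y in free_vars(s) and x in free_vars(body):
        y_new = fresh(y, free_vars(s) | free_vars(body) | {x})
        body = subst(body, ("id", y_new), y)
        y = y_new
    return (kind, y, subst(body, s, x))


def conv(t):
    """CONV: do all λ-conversions in t (normal-order reduction).  On a term that
    violates the type structure, e.g. [λX.X(X)]([λX.X(X)]), this recursion never ends:
    the absence of type checking is what lets such a term be entered at all."""
    kind = t[0]
    if kind == "app":
        fun = conv(t[1])
        if fun[0] == "lam":
            return conv(subst(fun[2], t[2], fun[1]))
        return ("app", fun, conv(t[2]))
    if kind == "cond":
        return ("cond",) + tuple(conv(sub) for sub in t[1:])
    if kind in BINDERS:
        return (kind, t[1], conv(t[2]))
    return t


def fixp(lhs, rhs):
    """FIXP: from the recursive definition s = [αy.t] produce the awff s = t(s/y)."""
    if rhs[0] != "alpha":
        raise ValueError("not a recursive definition")
    _, y, body = rhs
    return (lhs, subst(body, lhs, y))


def show(t):
    """Print a term in the bracket syntax of Section 2."""
    kind = t[0]
    if kind == "id":
        return t[1]
    if kind == "app":
        return f"{show(t[1])}({show(t[2])})"
    if kind == "cond":
        return f"({show(t[1])}→{show(t[2])},{show(t[3])})"
    return f"[{'λ' if kind == 'lam' else 'α'}{t[1]}.{show(t[2])}]"


def I(name):
    return ("id", name)


# Step 14 of the CONV example:  B = [λX.X(X)]([λX.X(Y)])
STEP14_RHS = ("app", ("lam", "X", ("app", I("X"), I("X"))),
              ("lam", "X", ("app", I("X"), I("Y"))))

# Step 23 of the FIXP example:  F = [αG.H([λF.G(F)])]
STEP23 = (I("F"), ("alpha", "G", ("app", I("H"), ("lam", "F", ("app", I("G"), I("F"))))))
```

The renaming condition is checked only when the binder's variable is actually free in the term being substituted and the substituted variable actually occurs under the binder; otherwise the binder is left alone, which is why step 24 above reads F1 but the λX of step 22's ABSTR example keeps its name.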


SUBST <stepname> ?(OCC ...,<integer>,...) IN (<stepname>|<term>);

Let the first <stepname> have t1 S t2 as its first <awff>, where S stands for = in case (i), and for = or ⊂ in case (ii).

Case (i). If there is a <stepname> following "IN", then t2 is substituted for all occurrences designated by the <integer>-list (or all occurrences, if no list) of t1 in the <wff>.

Case (ii). If there is a <term> s following "IN", then s S s' is generated, where s' is the result of substituting t2 for the appropriate occurrences (as in case (i)) of t1 in s.

Note that for t1 to occur in a term s any occurrence of a free variable in t1 must not be bound in s. Also see the caution on occurrence numbers in Section 3.6.

Example:

|25 [λX.F(X)] ⊂ G(F(X),F(X)) (2 3)
|26 F(X) = X (5 1)
|*****SUBST 26 OCC 1 IN 25;
|27 [λX.F(X)] ⊂ G(X,F(X)) (2 3 5 1)
|*****SUBST 26 IN :25:R;
|28 G(F(X),F(X)) = G(X,X) (5 1)

SIMPL (<stepname>|<term>) ?...( (BY|WO) ...,<range>,... )...;

In the case of a <stepname>, its <wff> is simplified (see Section 3.5) using as simplification rules those in SIMPSET together with those designated by the <range>-list following each "BY", and without those designated by the <range>-list following each "WO". A <term> t is similarly simplified, to t1 say, and t=t1 is generated. The SIMPSET remains unchanged.

Example, continuing the previous (Section 3.5 gives more detail):

|...
|29 [λP.P→F(X),Y](TT) ⊂ UU(X) (10)
|*****SIMPL . BY 26;
|30 X⊂UU (10 5 1)
This happens because CONV, CONDT, MIN2 are among the simplification rules.

3.3 Goal-Oriented Commands

Anything provable with the goal oriented commands is provable in PURE LCF, but most proofs would then be tedious (that's why we only describe the INDUCTION and CASES rules in goal-oriented form). Experience shows that with the goal-oriented commands the user has only to type a small fraction of what he would otherwise have to type.

The user may generate a subgoal structure of arbitrary depth. This structure is represented by three entities, GOALTREE, GOALLIST and THISGOAL. THISGOAL is always the goal currently under trial, all its ancestors in GOALTREE are (indirectly) also under trial, and the subgoals of THISGOAL are listed in GOALLIST. Each goal has a goal number - e.g. #1#2#3 - which indicates its ancestors and (by the number of parts) its level in the tree. Here is a sample goal structure.

LEVEL 0                  •                          )
                         |                          )
               +---------+---------+                )
LEVEL 1       #1        #2        #3                )
                         |                          )  GOALTREE
LEVEL 2                #2#1                         )
                         |                          )
                  +------+------+                   )
LEVEL 3        #2#1#1        #2#1#2  ---- THISGOAL  )

                    #2#1#2#1  #2#1#2#2  #2#1#2#3       GOALLIST

FIGURE 1

Each goal has a status (not shown in diagram) which is either "UNDER TRIAL" (only THISGOAL and its ancestors have this status), or "NOT TRIED" or "PROVED".
The user has five goal oriented commands available: we give first their syntax, then detailed descriptions.

GOAL <wff> ?((ASSUME|SASSUME) <wff>) ;

TRY ?<integer> ?<tactic> ;

QED ?<stepname> ;

ABANDON ;

SCRATCH <integer> ;

<tactic> ::= CONJ |
             CASES <term> |
             ABSTR |
             SIMPL ?...( (BY|WO) <stepname>,... )... |
             SUBST <stepname> ?(OCC ...,<integer>,...) |
             INDUCT <stepname> ?(OCC <integer>,...) |
             USE <identifier> ?...,<instantiation>,...

<instantiation> ::= <identifier> ← <term>

The GOAL command.

GOAL specifies a new goal to be added to GOALLIST. Its effect on the goal structure of Figure 1 is as follows (Figure 2):

                                          )
             (as in Figure 1)             )  GOALTREE
                   |                      )
LEVEL 3         #2#1#2  ---- THISGOAL     )

         #2#1#2#1  #2#1#2#2  #2#1#2#3  #2#1#2#4      GOALLIST

FIGURE 2

(Notice that the new goal isn't yet under trial.)

A goal may or may not be given assumptions. The only difference between ASSUME and SASSUME is that in the latter case, when the goal is tried, the assumption wff will be added to the set of
simplification rules (see Section 3.5) for the duration of this goal's trial. Examples:

|*****GOAL F⊂G;
|NEWGOAL #1 F⊂G
|*****GOAL F(X)=G(Y) SASSUME F=G, X=Y;
|NEWGOAL #2 F(X)=G(Y) SASSUME F=G, X=Y

The only purpose of the system's reply is to allot the goal a number.

The TRY command.

TRY specifies one of the goals of GOALLIST to be tried (if the <integer> is absent, the last goal specified is assumed). If the user gives no tactic, the new GOALLIST will be null (Figure 3).

                                          )
             (as in Figure 1)             )  GOALTREE
                   |                      )
LEVEL 3         #2#1#2                    )
                   |                      )
LEVEL 4        #2#1#2#3  ---- THISGOAL    )

         (GOALLIST initially null)

FIGURE 3

But if the user gives a tactic, the system will set up a new GOALLIST for him, whose number of members depends on the tactic. Tactics are described later in this section, but look at the example following QED's description below to see what happens without them.

The QED command.

QED indicates that the <stepname> - or the previous step if no <stepname> is given - proves THISGOAL. The user will normally say QED when he has TRIED this goal with no tactic. Sometimes the user has been able to prove a contradiction instead, i.e. any of the <awff>s <tv>=<tv> or <tv>⊂<tv> where the <tv>s are distinct members of {TT,UU,FF} and, in the case of ⊂, the first <tv> is not UU; QED will also accept a contradiction, since it proves any goal.

The effect of QED is to restore Figure 3 to Figure 2, with the difference that the status of #2#1#2#3 becomes "PROVED". If THISGOAL (of Figure 2) had been TRIED with a tactic and all the subgoals generated by the tactic are now "PROVED", it too becomes "PROVED", a step is generated for it and the system backs up further; the user is told which goal has become THISGOAL and what remains in its GOALLIST.

The following example continues the one above, and illustrates TRY and QED:

|*****TRY 2;
|13 F=G (13)                  )
|14 X=Y (14)                  )  The system makes the assumptions.
|
|*****APPL 13,X;              )
|15 F(X)=G(X) (13)            )
|*****APPL G,14;              )
|16 G(X)=G(Y) (14)            )  The user proves the goal.
|*****TRANS 15,16;            )
|17 F(X)=G(Y) (13 14)         )
|
|*****QED;                    )
|GOAL #2 PROVED. BACK UP TO TOP LEVEL.   )  The system backs up.
|REMAINING SUBGOALS:          )
|1 F⊂G                        )

The ABANDON command.

ABANDON indicates that the user is dissatisfied with his trial of THISGOAL. The effect will be to restore Figure 3 to Figure 2 - but the status of #2#1#2#3 becomes again "NOT TRIED". Thus no further backing up can happen.

The SCRATCH command.

SCRATCH removes the indicated goal from GOALLIST. However, the system will refuse to scratch goals generated by tactics.
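The five commands above maintain the GOALTREE, GOALLIST and THISGOAL structure of Figures 1 to 3. As an added example (written for this edition, not code from the LCF implementation), here is that bookkeeping in miniature: TRY with a tactic is modelled by handing in the list of subgoals the tactic would generate, QED backs up exactly as far as the text describes, ABANDON restores the pre-TRY state, and SCRATCH refuses tactic-generated goals. Steps are not modelled. The function at the end replays the goal commands of the recursion-induction proof of Section 3.1; the class and method names are this example's own.

```python
# Added example: the goal structure of Section 3.3 (GOALTREE, GOALLIST, THISGOAL)
# and the effect of GOAL, TRY, QED, ABANDON and SCRATCH on it.  Written for this
# edition; not the LCF implementation.  A tactic is represented by the subgoals
# it would generate; proof steps are not modelled.
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class Goal:
    number: str                      # "#2#1#2": ancestors and, by part count, level
    wff: str
    assumptions: str = ""
    status: str = "NOT TRIED"        # NOT TRIED | UNDER TRIAL | PROVED
    from_tactic: bool = False        # generated by a tactic: SCRATCH refuses these
    parent: Optional["Goal"] = None
    subgoals: List["Goal"] = field(default_factory=list)
    counter: int = 0                 # last integer handed out to a subgoal

    def remaining(self) -> List["Goal"]:
        return [g for g in self.subgoals if g.status != "PROVED"]


class GoalStructure:
    def __init__(self):
        self.root = Goal("", "TOP LEVEL", status="UNDER TRIAL")   # level 0
        self.thisgoal = self.root
        self.messages: List[str] = []

    def goallist(self) -> List[Goal]:
        return self.thisgoal.remaining()

    def goal(self, wff: str, assumptions: str = "", from_tactic: bool = False) -> Goal:
        """GOAL <wff> ?(ASSUME <wff>): add to GOALLIST, not yet under trial."""
        parent = self.thisgoal
        parent.counter += 1
        g = Goal(f"{parent.number}#{parent.counter}", wff, assumptions,
                 from_tactic=from_tactic, parent=parent)
        parent.subgoals.append(g)
        self.messages.append(f"NEWGOAL {g.number} {wff}"
                             + (f" ASSUME {assumptions}" if assumptions else ""))
        return g

    def try_(self, index: Optional[int] = None,
             tactic: Sequence[Tuple[str, str]] = ()) -> Goal:
        """TRY ?<integer> ?<tactic>: the goal is named by the last integer of its
        number (default: the last goal specified); `tactic` lists the subgoals
        the tactic generates, and is empty when no tactic is given."""
        cands = [g for g in self.goallist()
                 if index is None or g.number.rsplit("#", 1)[1] == str(index)]
        if not cands:
            raise ValueError(f"no untried goal {index} in GOALLIST")
        g = cands[-1]
        g.status = "UNDER TRIAL"
        self.thisgoal = g
        for wff, assumptions in tactic:
            self.goal(wff, assumptions, from_tactic=True)
        return g

    def qed(self) -> None:
        """QED: THISGOAL is proved.  Back up; a goal tried with a tactic is itself
        proved once every subgoal the tactic generated is (cf. step 8 of 3.1)."""
        g = self.thisgoal
        if g is self.root:
            raise ValueError("no goal under trial")
        while True:
            g.status = "PROVED"
            parent = g.parent
            where = "TOP LEVEL" if parent is self.root else f"GOAL {parent.number}"
            remaining = parent.remaining()
            tail = ("REMAINING SUBGOALS: " + " ".join(r.number for r in remaining)
                    if remaining else "NO MORE SUBGOALS")
            self.messages.append(f"GOAL {g.number} PROVED. BACK UP TO {where}. {tail}")
            self.thisgoal = parent
            if parent is self.root or remaining or not all(s.from_tactic for s in parent.subgoals):
                return
            g = parent

    def abandon(self) -> None:
        """ABANDON: THISGOAL becomes NOT TRIED again, whatever was generated under
        it is discarded, and no backing up follows."""
        g = self.thisgoal
        if g is self.root:
            raise ValueError("no goal under trial")
        g.status, g.subgoals, g.counter = "NOT TRIED", [], 0
        self.thisgoal = g.parent

    def scratch(self, index: int) -> None:
        """SCRATCH <integer>: remove a goal from GOALLIST, unless a tactic made it."""
        for g in self.goallist():
            if g.number.rsplit("#", 1)[1] == str(index):
                if g.from_tactic:
                    raise ValueError(f"{g.number} was generated by a tactic")
                self.thisgoal.subgoals.remove(g)
                return
        raise ValueError(f"no goal {index} in GOALLIST")


def recursion_induction_session() -> GoalStructure:
    """The goal commands of Section 3.1, with INDUCT 1 standing for its two subgoals."""
    gs = GoalStructure()
    gs.goal("F⊂G")                                          # GOAL F⊂G;
    gs.try_(1, [("UU⊂G", ""), ("FUN(F1)⊂G", "F1⊂G")])       # TRY 1 INDUCT 1;
    gs.try_(1)                                              # TRY 1;  (then MIN1 G;)
    gs.qed()                                                # QED;
    gs.try_(2)                                              # TRY 2;  (APPL, SYM, TRANS)
    gs.qed()                                                # QED;
    return gs
```

The messages the session collects are the NEWGOAL and "GOAL ... PROVED. BACK UP TO ..." lines of the transcript in Section 3.1, in the same order; the refusal in scratch() is what keeps a tactic's subgoal set intact so that proving all of them really does prove the parent.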
Tactics.

We now describe the tactics available. There are six basic ones, each based on a particular inference rule; in addition the user may employ any THEOREM (see Section 3.7) as a tactic.

For CONJ, the system generates a separate subgoal for each <awff> in the goal.

For CASES, if s is the <term> and P is the <wff> of the goal, the system generates the 3 subgoals P SASSUME s=TT, P SASSUME s=UU, P SASSUME s=FF.

For ABSTR, the system instantiates in each <awff> in the goal for as many bound variables as are bound by the outermost λ in its left-hand side, thus generating a single new subgoal. New variables are chosen which are not free in the proof so far. For example, if the goal is [λX Y.F(Y,X)] = [λX Y.G(X,X,Y)], and X is already free in the proof, the new goal will be F(Y,X1) = G(X1,X1,Y).

For SIMPL, the system generates a new subgoal by simplifying the goal as far as possible, using a modified SIMPSET (if any "BY" or "WO" is present) as explained in Section 3.2 under the SIMPL rule. The modified SIMPSET remains in force, but the old one will be reinstated when the new goal is either proved or ABANDONed (see Section 3.5). If the system discovers that all <awff>s of the new subgoal are identically true - i.e. they are all of the form s⊂s or s=s or UU⊂s - it initiates the backing up process described under QED above instead of generating the subgoal. If some but not all of the <awff>s are identically true they are simply omitted from the new subgoal.

For SUBST, the system generates a new subgoal by substituting the rhs of <stepname> for the lhs of <stepname> in the goal - either throughout or at the designated occurrences when an <integer>-list is given (see the caution on occurrence numbers in Section 3.6).

For INDUCT, let P be the <wff> of the goal. The system checks that <stepname> has the form s=[αy.t] - i.e. that it is a recursive definition. If so, it generates two new subgoals. The first is

    P(UU/s)

and the second is

    P(t(y'/y)/s) ASSUME P(y'/s)

where y' is a variable not previously used free, and where the substitution in P takes place at appropriate occurrences, exactly as for SUBST above.
For USE, the <identifier> is a THEOREM name. The system will
instantiate the THEOREM by matching its consequent to the goal,
taking into account any instantiations supplied explicitly by the
user, and will generate the appropriate instance of its antecedent as
a new goal. See Section 3.7 for a fuller discussion of THEOREMS.

We now give examples of each tactic (except CONJ, which is
easy to understand). Some are realistically combined.


*****GOAL P→X,P→Y,Z ≡ P→X,Z;
NEWGOAL #1 P→X,P→Y,Z ≡ P→X,Z

*****TRY CASES P;
NEWGOAL #1#1 P→X,P→Y,Z ≡ P→X,Z SASSUME P ≡ TT
NEWGOAL #1#2 P→X,P→Y,Z ≡ P→X,Z SASSUME P ≡ UU
NEWGOAL #1#3 P→X,P→Y,Z ≡ P→X,Z SASSUME P ≡ FF

*****TRY 1 SIMPL;
25 P ≡ TT (25)
26 P→X,P→Y,Z ≡ P→X,Z (25)
GOAL #1#1 PROVED. BACK UP TO GOAL #1
REMAINING SUBGOALS:
2 ... SASSUME P ≡ UU
3 ... SASSUME P ≡ FF
    (Here SIMPL reduces goal #1#1 to identity, using 25 and also
    an instance of CONDT as simp. rules.)

*****TRY 2 SIMPL;
(etc.)


The example looks long, but the user's contribution (shown by
"*****") is short. (The system keeps reminding the user of what subgoals
remain.) The "hard copy" proof produced by the SHOW command will be
comparatively short.

The next example illustrates the remaining tactics, and also
application to a particular subject matter - lists. The first four
steps are the result of SASSUME by the user. Note also the
abbreviations ∀X Y, etc., as explained in Section 3.6.


1 ∀X Y. HD(CONS(X,Y)) ≡ X (1)
2 ∀X Y. TL(CON(X,Y)) ≡ Y (2)
3 ∀X Y. NULL(CONS(X,Y)) ≡ FF (3)
4 NULL(UU) ≡ UU (4)

*****ASSUME AP ≡ αF.λX Y. NULL X→Y,CONS(HD X,F(TL X,Y));
5 AP ≡ [αF.[λX Y.NULL(X)→Y,CONS(HD(X),F(TL(X),Y))]] (5)

*****FIXP 5;
6 AP ≡ [λX Y.NULL(X)→Y,CONS(HD(X),AP(TL(X),Y))] (5)

*****GOAL ∀X.AP(X,AP(Y,Z)) ≡ AP(AP(X,Y),Z);
NEWGOAL #1 ∀X.AP(X,AP(Y,Z)) ≡ AP(AP(X,Y),Z)

*****TRY INDUCT 5 OCC 1,4;
NEWGOAL #1#1 ∀X.UU(X,AP(Y,Z)) ≡ AP(UU(X,Y),Z)
NEWGOAL #1#2 ∀X.[λX Y.NULL(X)→Y,CONS(HD(X),F1(TL(X),Y))](X,AP(Y,Z))
               ≡ AP([λX Y.NULL(X)→Y,CONS(HD(X),F1(TL(X),Y))](X,Y),Z)
             ASSUME ∀X.F1(X,AP(Y,Z)) ≡ AP(F1(X,Y),Z)

*****TRY 1 ABSTR;
NEWGOAL #1#1#1 UU(X,AP(Y,Z)) ≡ AP(UU(X,Y),Z)

*****TRY SUBST 6 OCC 2;
NEWGOAL #1#1#1#1 UU(X,AP(Y,Z)) ≡ [λX Y.NULL(X)→Y,CONS(HD(X),AP(TL(X),Y))](UU(X,Y),Z)

*****TRY SIMPL;
7 UU(X,AP(Y,Z)) ≡ [λX Y.NULL(X)→Y,CONS(HD(X),AP(TL(X),Y))](UU(X,Y),Z) (4)
GOAL #1#1#1#1 PROVED. BACKUP TO GOAL #1#1#1. NO MORE SUBGOALS
8 UU(X,AP(Y,Z)) ≡ AP(UU(X,Y),Z) (4 5)
GOAL #1#1#1 PROVED. BACKUP TO GOAL #1#1. NO MORE SUBGOALS
9 ∀X.UU(X,AP(Y,Z)) ≡ AP(UU(X,Y),Z) (4 5)
GOAL #1#1 PROVED. BACKUP TO GOAL #1.
REMAINING SUBGOALS:
2 (Here follows a restatement of goal #1#2)
(etc.)


Note that simplification (using the built-in simplification
rules CONV and MIN2 and CONDU as well as Step 4) reduced goal
#1#1#1#1 to identity, and the system generated Step 7 on these
grounds. In backing up, it generates an explicit final step,
identical to the goal statement in its wff, to tie up the proof of
each goal proved.

Note also that the user's contribution (indicated by "*****") is
short in the above example.

Finally, here is an example of a THEOREM used as a tactic
(read Section 3.7 first!). It also shows how the user can make many
of the inference rules into tactics - even using the same names. Of
course, THEOREMS used as tactics will at least as often be
substantial results previously proved and filed (consider the
frequent occurrence in informal proofs of "to prove XXX it is
sufficient, by Theorem AAA, to prove YYY and ZZZ").
First, to make a THEOREM out of the TRANS rule:


*****ASSUME X≡Y, Y≡Z;
51 X≡Y (51)
52 Y≡Z (52)

*****TRANS 51,52;
53 X≡Z (51 52)

*****THEOREM TRANS: 53;
THEOREM TRANS: X≡Z ASSUME X≡Y,Y≡Z;


Now to use TRANS as a tactic:


*****GOAL F(A,X)≡G(X);
NEWGOAL #1 F(A,X)≡G(X)

*****TRY USE TRANS Y←H(X,A);
NEWGOAL #1#1 F(A,X)≡H(X,A)
NEWGOAL #1#2 H(X,A)≡G(X)


Note that the X,Y,Z of the Theorem are metavariables which do not
conflict with the variables of the proof.


3.4 Miscellaneous Commands


The SIMPSET command.


SIMPSET ...,{ {+|-} ...,<range>,... },... ;


The steps designated are added to or removed from the set of
simplification rules (see Section 3.5).
The SHOW command.


SHOW { AXIOMS ?( ...,<identifier>,... ) |
       THEOREMS ?( ...,<identifier>,... ) |
       GOALTREE ?...,<range>,... |
       THISGOAL |
       GOALLIST |
       PROOF ?...,<range>,... |
       STEPS ?...,<range>,... |
       SIMPSET ?...,<range>,... |
       LABELS ?...,<range>,... }
     ?( <identifier> ?<integer> ) ;

If the final <identifier> is present the material is sent to the file
named, otherwise it is displayed on the console. The final <integer>,
if present, denotes the line-width.

If a <range>- or <identifier>-list is not present, the whole is
shown. The <identifier>-list for AXIOMS or THEOREMS denotes the
particular axioms or theorems required. The <range>-list for GOALTREE
refers to levels (1 is top level), and for PROOF, STEPS, SIMPSET and
LABELS refers to stepnumbers. Thus

SHOW STEPS :3, 8, 20:23, 30, 55:;

will show steps 1,2,3,8,20,21,22,23,30 and 55 onwards of the proof,
with no goal structure; SHOW PROOF will show steps with goal
structure, so is normally used with a single <range>, or a whole
proof. Only the stepnumbers bound to LABELS are shown.
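As an added illustration (not part of the LCF manual or system), here is a Python reading of the <range>-list just described, applied to the SHOW STEPS example; the proof fragment it formats is constructed, and the output layout is this example's own.

```python
import re

def parse_ranges(text):
    """Parse a <range>-list such as ':3, 8, 20:23, 30, 55:' into (lo, hi)
    pairs, None marking an open end (':3' runs from the first step,
    '55:' to the last).  A trailing ';' (the command terminator) is allowed."""
    ranges = []
    for item in text.rstrip().rstrip(';').split(','):
        item = item.strip()
        m = re.fullmatch(r'(\d+)|(\d*):(\d*)', item)
        if m is None or item == ':':
            raise ValueError(f'SYNTAX ERROR in range list near {item!r}')
        if m.group(1):
            n = int(m.group(1))
            ranges.append((n, n))
        else:
            lo = int(m.group(2)) if m.group(2) else None
            hi = int(m.group(3)) if m.group(3) else None
            if lo is not None and hi is not None and lo > hi:
                raise ValueError(f'empty range {item!r}')
            ranges.append((lo, hi))
    return ranges

def valid(text):
    """True if text is a well-formed <range>-list."""
    try:
        parse_ranges(text)
        return True
    except ValueError:
        return False

def select_steps(step_numbers, text):
    """The step numbers (kept in proof order) picked out by the range list."""
    ranges = parse_ranges(text)
    def wanted(n):
        return any((lo is None or lo <= n) and (hi is None or n <= hi)
                   for lo, hi in ranges)
    return [n for n in step_numbers if wanted(n)]

def show_steps(proof, text):
    """SHOW STEPS without goal structure: one line per selected step,
    'stepnumber awff (dependencies)'.  proof is a list of (n, awff, deps)."""
    keep = set(select_steps([n for n, _, _ in proof], text))
    lines = []
    for n, awff, deps in proof:
        if n in keep:
            tail = f' ({" ".join(map(str, deps))})' if deps else ''
            lines.append(f'{n} {awff}{tail}')
    return lines

# Constructed proof fragment, after the example of Section 3.7.
PROOF = [(3, '∀X.NULL(X) ⊃ X ≡ NIL', ()),
         (5, 'NULL(Y) ≡ TT', (5,)),
         (7, 'Y ≡ NIL', (5,))]
```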


The FETCH command.


FETCH ...,<identifier>,... ;

The <identifier>-list names files. Axioms and theorems on those
files will be brought in. In fact any admissible commands on these
files will be treated exactly as if typed at the console - e.g.
ASSUMptions may be made - so the user may prepare such files other
than by SHOWing axioms or theorems. Much of what a user types is
dependent on the stepnumbers that the system is generating, so the
use of files prepared offline is limited. However, this difficulty is
somewhat alleviated by the LABEL command (see below). The files are
expected to be simply sequences of commands, so several files may
easily be concatenated without editing.


The CANCEL command.

CANCEL ?<stepname> ;

This steps back through the <stepname> given, otherwise just the last
step. Cancelled steps are removed from the SIMPSET. Goal trials
encountered will be ABANDONed. It is not possible to cancel back past
any step which proves a goal.


The INFIX command.


INFIX ...,<identifier>,... ;

causes all the <identifier>s named to be treated exactly as
<infix>es (see Section 3.6). In particular, the user must "!" them
in non-infix contexts.


The PREFIX command.


PREFIX ...,<identifier>,... ;


. . . . 


The LABEL command.


LABEL ...,<identifier> ?<stepname>,... ;

Each <identifier> is bound to the <stepname> given, or if none is
given to the next step to be generated; that step and its successors
may then be referred to by <label>, <label>+1 etc., through the
<stepname> syntax.


3.5 Simplification Rules.

At any stage in a proof, there is a current set of
simplification rules. Steps may be added to or removed from the
simplification rule set (SIMPSET) in five ways:

• By SASSUME (see Section 3.2).

• By the SIMPSET command (see Section 3.4).

• By the goal tactic SIMPL (see Section 3.3).

• If the SIMPSET was modified by attacking a goal
with a SASSUMption (see Section 3.3) or by
using the SIMPL tactic, then it will be automatically
reinstated when the goal is proved or ABANDONed.

• By CANCEL (see Section 3.4).

Simplification is invoked only by the SIMPL rule (3.2) and by the
SIMPL tactic (3.3). The rules are then applied repeatedly to all
subterms of the appropriate awff or term until they can be applied no
further.


An application of a simplification rule s ≡ t consists in
finding all occurrences of s and replacing them by t (so the user
must be careful not to make something like F(X) ≡ G(F(X)) a
simplification rule, or he will cause indefinite expansion!). In
addition, in the case of a simplification rule ∀x y ... . s ≡ t, all
instances of s, gained by replacing x,y,... by arbitrary terms in s,
will be replaced by the appropriate instances of t.

There are five built in rules: CONV (λ-CONVERSION), MIN2
(UU(s) ≡ UU) and CONDT, CONDU, CONDF (simplification of conditionals)
(see these rules of inference in 3.2). Together with the previously
mentioned feature, this will allow the assumption

∀X Y. HD(CONS(X,Y)) ≡ X,

when used as a simplification rule, to reduce

HD(CONS(s1,s2))

via [λX Y.X](s1,s2)

to s1.

Such formulae may usually be kept permanently in the SIMPSET. Others,
notably the SASSUMptions of the CASES tactic, will come and go under
system control. Still others the user will need to handle himself; a
good example is the result of FIXP on a recursive definition of form
s ≡ [αx.t]: the result has form s ≡ t(s/x) and so can lead to
indefinite expansion as a simplification rule, but will not do so in
the case that the recursive computation, which it will carry out,
terminates as a consequence of other members of SIMPSET.


3.6 Syntax

As well as the usual BNF conventions we use the following:

{ } are for grouping syntax patterns.

? before a pattern means optional.

...P... means one or more instances of the pattern P.

...,P,... means one or more instances of P separated by commas.

<wff> ::= ...,<awff>,...

<awff> ::= ?{ ∀ ...<identifier>... . } ?{ <term> ⊃ } <term> {≡|⊂} <term>

<term> ::= <infixterm> | <conditionalterm>

<conditionalterm> ::= <infixterm> → <term> , <term>

<infixterm> ::= <simpleterm> ?...{ <infix> <simpleterm> }...

<simpleterm> ::= <closedterm> ?...{ <closedterm> | ( ...,<term>,... ) }...

<closedterm> ::= <identifier> | <λterm> | <αterm> | <termname> | ( <term> )

<termname> ::= ?{ :G | :<stepname> } ?{ :<integer> } {L|R}

<λterm> ::= [ λ ...<identifier>... . <term> ]

<αterm> ::= [ α <identifier> . <term> ]

<identifier> ::= <word> | !<infix> | - | a

<word> ::= ...{ <letter> | <digit> }...

<infix> ::= any of the single characters
nul  |+-»*av/\((8^<><>^s«T4^ 
or any <word> with current INFIX status (3.4)

Spaces may occur anywhere except within a <word>, but are only
necessary to separate <word>s or to separate "-" from a digit. The
latter is because the MLISP2 parser takes "-3" as a single element or
token.

The brackets round <λterm>s and <αterm>s may be omitted when
no ambiguity arises.

Examples follow, with intended interpretation:
• P→Q→X,Y,R→Y,Z is a <conditionalterm>, abbreviating

P→(Q→X,Y),(R→Y,Z)

• AP(AP X Y,Z) is a <simpleterm>, abbreviating

AP(AP(X,Y),Z) or AP((AP(X))Y,Z)
or (AP((AP(X))Y))Z

(Thus the type which we should associate with
AP is (β→(β→β)), where β is the type of
individuals.)

• λX Y.NULL X→Y,TL X is a <λterm>, abbreviating

[λX.[λY.(NULL(X)→Y,TL(X))]]

• P ⊃ X ≡ Y is an <awff>, abbreviating

P→X,UU ≡ P→Y,UU

• ∀X. F(X,X) ≡ Y is an <awff>, abbreviating

λX.F(X,X) ≡ λX.Y

• ∀X Y. X≡Y ⊃ X ⊂ Y is an <awff>, abbreviating

λX Y.X≡Y→X,UU ≡ λX Y.X≡Y→Y,UU

• !∊ ≡ λX L. X=HD(L)→TT, X∊TL(L)

illustrates the "!"-ing (which may be pronounced "shrieking"
or perhaps "howling") of <infix>es, which is necessary
whenever they are mentioned in a non-infixed context.

Many examples of <wff>s and <awff>s occur throughout this paper.

Caution! Some commands refer to occurrences of a <term> in a <wff>.
Occurrences are counted from left to right after all occurrences of
∀ (which is an abbreviation for legibility reasons only) have been
expanded as indicated in the examples, and with <infix>es considered
as prefixed.
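The occurrence counting that SUBST ... OCC and INDUCT ... OCC rely on (Section 3.3) and that this Caution describes, as an added Python example that is not part of the LCF manual or system. Terms are held as nested tuples with infixes already prefixed and ∀ already expanded to λ, and the goal and step-6 data are the manual's INDUCT/SUBST example transcribed by hand.

```python
def occurrences(term, s):
    """Paths (tuples of indices from the root) to every occurrence of the
    subterm s, in left-to-right textual order: a head is visited before its
    arguments, so AP(X,AP(Y,Z)) ≡ AP(AP(X,Y),Z) numbers its APs 1..4 as in
    the manual's TRY INDUCT 5 OCC 1,4."""
    found = []
    def walk(t, path):
        if t == s:
            found.append(path)
        if isinstance(t, tuple):
            for i, sub in enumerate(t):
                walk(sub, path + (i,))
    walk(term, ())
    return found

def replace_at(term, path, t):
    """Copy of term with the subterm at path replaced by t."""
    if not path:
        return t
    i = path[0]
    return term[:i] + (replace_at(term[i], path[1:], t),) + term[i + 1:]

def substitute(wff, s, t, occ=None):
    """Replace s by t in the awff wff = (lhs, rhs) at the 1-based occurrence
    numbers in occ (counted over lhs then rhs), or at every occurrence when
    occ is None, as SUBST and INDUCT do."""
    paths = occurrences(wff, s)
    if occ is not None:
        bad = [n for n in occ if not 1 <= n <= len(paths)]
        if bad:
            raise ValueError(f'no occurrence {bad} of {s!r}: only {len(paths)} exist')
        paths = [paths[n - 1] for n in sorted(occ)]
    for p in paths:          # occurrences of s never nest, so order is irrelevant
        wff = replace_at(wff, p, t)
    return wff

# Constructed data after the manual's list example.  ∀X. lhs ≡ rhs is kept
# expanded as λX on both sides (3.6 Caution); λX Y.body is [λX.[λY.body]].
GOAL1 = (('λ', 'X', ('AP', 'X', ('AP', 'Y', 'Z'))),
         ('λ', 'X', ('AP', ('AP', 'X', 'Y'), 'Z')))
# rhs of step 6:  λX Y. NULL(X)→Y, CONS(HD(X), AP(TL(X), Y))
STEP6_RHS = ('λ', 'X', ('λ', 'Y', ('->', ('NULL', 'X'), 'Y',
             ('CONS', ('HD', 'X'), ('AP', ('TL', 'X'), 'Y')))))

def induct_base_and_subst():
    """TRY INDUCT 5 OCC 1,4 (first subgoal: UU for AP at occurrences 1 and 4),
    then ABSTR (drop the λX on each side), then TRY SUBST 6 OCC 2."""
    base = substitute(GOAL1, 'AP', 'UU', {1, 4})
    inner = (base[0][2], base[1][2])
    return base, substitute(inner, 'AP', STEP6_RHS, {2})
```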


3.7 Commands for Axioms and Theorems


We now describe how the user may create, store away, and fetch axioms
and theorems, so that he can build up a file of results over several
sessions on the computer, and does not have to start from scratch
each time.


We start with a single example, and then describe the new commands in
detail.


*****AXIOM LISTS: ..., ∀X.NULL X ⊃ X ≡ NIL, ...;

    |The user creates an axiom consisting of several
    |<awff>s; the example uses only one, so the others
    |are represented by ... . The system lists them
    |for him - as new steps - and will remember the
    |collection by its name - LISTS.

AXIOM LISTS
1 ...
2 ...
3 ∀X.NULL(X) ⊃ X ≡ NIL
4 ...

*****SASSUME NULL Y ≡ TT;
5 NULL(Y) ≡ TT (5)

*****... 3, Y;
6 [λX.NULL(X)→X,UU](Y) ≡ [λX.NULL(X)→NIL,UU](Y)

*****SIMPL 6;
7 Y ≡ NIL (5)

    |Note that the SASSUMption 5 has been used, so
    |it appears as a condition for 7.

*****THEOREM UNIQUENULL: 7;

    |The user wants to keep the result 7 - he will
    |be able to instantiate for Y in later use, so the
    |system really treats it as a metatheorem. The
    |system writes it in full for him, reminding him
    |that it depends on LISTS:-

THEOREM (LISTS) UNIQUENULL: Y ≡ NIL ASSUME NULL(Y) ≡ TT

    |Suppose that the user proves some more theorems,
    |and then wants to keep his axioms (there may be
    |others besides LISTS) and theorems. He says:

*****SHOW AXIOMS AXFILE;
*****SHOW THEOREMS THFILE;

    |He can actually select just some to be kept (3.4). Also
    |if he omits the filename, they will not be kept
    |but displayed.


--- NOW, ON SOME LATER OCCASION:


    |The user decides he now wants to talk about lists,
    |and would like the theorems that he previously proved.

*****FETCH AXFILE, THFILE;

AXIOM LISTS
15 ...
16 ...
17 ∀X.NULL(X) ⊃ X ≡ NIL
18 ...

THEOREM (LISTS) UNIQUENULL: Y ≡ NIL ASSUME NULL(Y) ≡ TT

    |Remember there may have been other axioms and
    |theorems on these files (they should have been
    |at least represented by ..., but we didn't
    |bother).

    |The crucial point is that all variables which
    |are free in the theorem, but not free in the axioms
    |on which it depends, may be instantiated, and the
    |user can force an instantiation by using the theorem
    |as an inference rule. Suppose later he proves (step 23):

23 NULL(HD(Z)) ≡ TT (15 18)

    |He applies the theorem, as follows (and in this
    |case the only free instantiable variable is Y):

*****USE UNIQUENULL 23;
24 HD(Z) ≡ NIL (15 18)

    |It is possible that not all the instantiable variables
    |occur in the hypothesis of the theorem; the full
    |definition of the USE command shows how they may
    |be instantiated.
We now give the new commands which concern axioms and theorems:


The AXIOM command.


AXIOM <identifier> : ...,{ <stepname> | <awff> },... ;

The system will remember all the <awff>s, mentioned explicitly or
designated by a <stepname>, by the name <identifier>; it also lists
them - each with a new stepnumber. Thereafter, any THEOREMS created,
and saved by the SHOW command, will be tagged as dependent on this
axiom.


The THEOREM command.


THEOREM { <identifier> : <stepname> |
          ?( ...,<identifier>,... ) <identifier> : <wff> ?( ASSUME <wff> ) } ;

The first option is for naming a proved result - designated by
<stepname> - as a theorem. The second option is for naming an
explicit sentence - i.e. <wff> ?( ASSUME <wff> ) - as a theorem, and
saying what axioms it depends on (the list of <identifier>s is a
list of axiom names).

In the first option, the system will remember the theorem by name,
and tag it as dependent on all axioms present in the system.

In the second option, the system will check that the axioms mentioned
are present (if not it will warn you) and in any case will remember
the theorem by name, and tag it as dependent on the axioms mentioned.
This option is used by the system as follows: when the user saves a
THEOREM on a file using the SHOW command, what the system writes on
the file is precisely an instance of the second option, so that when
the user FETCHes the theorem on a later occasion he will be warned of
any appropriate axioms that are not present so that he can FETCH
them, too.
The USE command.


USE <identifier> ...,<stepname>,... ?{ , ...,<instantiation>,... } ;

<instantiation> ::= <identifier> ← <term>

The first <identifier> must be a THEOREM name, and the system checks
that all axioms on which it depends are present. The system treats
the theorem as a metatheorem in that all its free variables, except
those which are free in axioms on which it depends, are treated as
metavariables to be instantiated. The user supplies the
instantiation in part in two ways. First, the list of <stepname>s
designates a list of <awff>s, and some or all of the metavariables
are bound by matching this list to the antecedent list of the
theorem.

Second (since there may be metavariables which occur only in the
consequent of the theorem) the user may give a list of instantiations
each of which binds a term to a metavariable.

Any metavariables not thus instantiated will just be left as they
stand. After matching, the USE command will generate a new step
which is simply the appropriate instantiation of the consequent of
the theorem. Example:


*****AXIOM AX1: X ≡ Y;
AXIOM AX1
1 X ≡ Y

*****THEOREM (AX1) TH1: P ≡ Z ASSUME Z ≡ R;


15 F(Y) ≡ G(X,Y) (2 6)

*****USE TH1 15, P←H(X);
16 H(X) ≡ F(Y) (2 6)
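An added Python example (not the LCF system's code) serving two passages: the simplification of Section 3.5 and the USE command above. Terms are atoms (strings) or tuples (head, arg, ...), a conditional p→a,b is ('->', p, a, b) and an awff s ≡ t is the pair (s, t); the rule NULL(NIL) ≡ TT is a constructed addition, and the order in which simplify treats a conditional's branches is the example's own choice.

```python
UU, TT, FF = 'UU', 'TT', 'FF'

def match(pat, term, metas, binds):
    """Bind symbols in metas (rule ∀-variables or theorem metavariables) so
    that pat becomes term; every other symbol must agree literally."""
    if isinstance(pat, str):
        return binds.setdefault(pat, term) == term if pat in metas else pat == term
    return (isinstance(term, tuple) and len(pat) == len(term)
            and all(match(p, t, metas, binds) for p, t in zip(pat, term)))

def subst(term, binds):
    if isinstance(term, str):
        return binds.get(term, term)
    return tuple(subst(t, binds) for t in term)

def symbols(term):
    return {term} if isinstance(term, str) else set().union(*map(symbols, term))

class IndefiniteExpansion(Exception):
    """The SIMPSET keeps expanding, as with a rule F(X) ≡ G(F(X))."""

def simplify(term, simpset, fuel=100):
    """3.5: apply rules (vars, lhs, rhs) to every subterm until none applies.
    MIN2 (UU(s) ≡ UU) and CONDT/CONDU/CONDF are built in; a conditional's
    test is simplified first so a decided test selects its branch."""
    budget = [fuel]
    def go(t):
        if isinstance(t, tuple) and t[0] == '->':
            p = go(t[1])
            if p in (TT, UU, FF):
                return go({TT: t[2], UU: UU, FF: t[3]}[p])
            t = ('->', p, go(t[2]), go(t[3]))
        elif isinstance(t, tuple):
            t = tuple(go(s) for s in t)
            if t[0] == UU:
                return UU
        for vars_, lhs, rhs in simpset:
            binds = {}
            if match(lhs, t, vars_, binds):
                budget[0] -= 1
                if budget[0] < 0:
                    raise IndefiniteExpansion(t)
                return go(subst(rhs, binds))
        return t
    return go(term)

def loops(term, simpset):
    """True when simplification of term with simpset does not terminate."""
    try:
        simplify(term, simpset)
        return False
    except IndefiniteExpansion:
        return True

def use(theorem, axioms, steps, explicit=None):
    """3.7 USE: theorem = (consequent, [antecedents]), each awff a pair (s, t).
    Metavariables are the theorem's symbols not free in its axioms; bind them by
    matching antecedents to steps and by the <identifier> ← <term> list."""
    consequent, antecedents = theorem
    free = lambda awffs: set().union(*(symbols(s) | symbols(t) for s, t in awffs))
    metas = free([consequent] + antecedents) - free(axioms) - {UU, TT, FF}
    binds = dict(explicit or {})
    for (ls, rs), (s, t) in zip(antecedents, steps):
        if not (match(ls, s, metas, binds) and match(rs, t, metas, binds)):
            raise ValueError('step does not match the antecedent')
    return subst(consequent[0], binds), subst(consequent[1], binds)

# Constructed after the manual: steps 1-4 of the list example as rules
# (X, Y ∀-bound); NULL(NIL) ≡ TT is an addition so the AP recursion stops.
XY = frozenset({'X', 'Y'})
LISTS = [(XY, ('HD', ('CONS', 'X', 'Y')), 'X'),
         (XY, ('TL', ('CONS', 'X', 'Y')), 'Y'),
         (XY, ('NULL', ('CONS', 'X', 'Y')), FF),
         (frozenset(), ('NULL', UU), UU),
         (frozenset(), ('NULL', 'NIL'), TT)]
# Step 6 (FIXP 5):  AP ≡ λX Y. NULL(X)→Y, CONS(HD(X), AP(TL(X), Y))
AP_STEP6 = (XY, ('AP', 'X', 'Y'), ('->', ('NULL', 'X'), 'Y',
            ('CONS', ('HD', 'X'), ('AP', ('TL', 'X'), 'Y'))))
```

With AP_STEP6 in the SIMPSET, AP applied to a list built from CONS and NIL computes out, while AP applied to an unknown list expands indefinitely, exactly the hazard Section 3.5 warns about.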
4. HOW TO USE THE SYSTEM LCF


4.1 Initialization and Termination


R LCF

The system returns with an asterisk; you are now talking to LISP.

(INIT)

This will initialize the system, which returns with 5 asterisks; you
are ready to generate a proof by the commands of Section 3. 5
asterisks is always the signal for a command. Remember, all commands
end with a semicolon.

To finish a proof (after maybe preserving it on a file using
SHOW) type


The system will type ENDPROOF and you are then ready to start another
proof with

(INIT).

It is possible to save your core image so as to resume the
proof at a later time. To do this type

↑C
SAVE <filename>

and you can then either continue immediately by

START
(RESUME)

or at a later time by

RUN <filename>
(RESUME)


4.2 Errors and Recovery


There are three types of error message:

• If you commit a syntax error in a command, the system says
SYNTAX ERROR; TRY AGAIN

• If your command is semantically suspect - for example, you
try to apply TRANS (transitivity) to two steps for which it is
inappropriate - you will get something like

NASTYTRANS; TRY AGAIN

• If you break the system somehow and get a LISP error,
usually something like

3246 ILL MEM REF FROM ATOM


then you can try something different (your first command may yield a
syntax error, in which case just repeat it); however, this should
not occur and Malcolm Newey or I would like to know how it occurred.

If the system gets into a loop (the only known cause is if
your SIMPSET allows indefinite expansion) then

↑C
START
(RESUME)

will restore you. If you thereby abort a (long or looping)
simplification invoked by the SIMPL tactic you will also need to
ABANDON.